openclaw-aegis 1.0.0

package/dist/cli/index.js

@@ -0,0 +1,2063 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli/index.ts
+var import_commander5 = require("commander");
+
+// src/cli/commands/status.ts
+var import_commander = require("commander");
+
+// src/config/loader.ts
+var fs = __toESM(require("fs"));
+var path = __toESM(require("path"));
+var os = __toESM(require("os"));
+var import_toml = __toESM(require("@iarna/toml"));
+
+// src/config/schema.ts
+var import_zod = require("zod");
+var alertChannelSchema = import_zod.z.discriminatedUnion("type", [
+  import_zod.z.object({
+    type: import_zod.z.literal("ntfy"),
+    url: import_zod.z.string().url().default("https://ntfy.sh"),
+    topic: import_zod.z.string().min(1),
+    priority: import_zod.z.number().int().min(1).max(5).default(4)
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("webhook"),
+    url: import_zod.z.string().url(),
+    secret: import_zod.z.string().min(1).optional()
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("telegram"),
+    botToken: import_zod.z.string().min(1),
+    chatId: import_zod.z.string().min(1)
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("whatsapp"),
+    phoneNumberId: import_zod.z.string().min(1),
+    accessToken: import_zod.z.string().min(1),
+    recipientNumber: import_zod.z.string().min(1)
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("slack"),
+    webhookUrl: import_zod.z.string().url(),
+    channel: import_zod.z.string().optional()
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("discord"),
+    webhookUrl: import_zod.z.string().url(),
+    username: import_zod.z.string().optional()
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("email"),
+    host: import_zod.z.string().min(1),
+    port: import_zod.z.number().int().min(1).max(65535).default(587),
+    secure: import_zod.z.boolean().default(false),
+    username: import_zod.z.string().min(1),
+    password: import_zod.z.string().min(1),
+    from: import_zod.z.string().min(1),
+    to: import_zod.z.string().min(1)
+  }),
+  import_zod.z.object({
+    type: import_zod.z.literal("pushover"),
+    apiToken: import_zod.z.string().min(1),
+    userKey: import_zod.z.string().min(1),
+    device: import_zod.z.string().optional()
+  })
+]);
+var aegisConfigSchema = import_zod.z.object({
+  gateway: import_zod.z.object({
+    configPath: import_zod.z.string().default("~/.openclaw/openclaw.json"),
+    pidFile: import_zod.z.string().default("openclaw-gateway.service"),
+    port: import_zod.z.number().int().min(1).max(65535).default(18789),
+    logPath: import_zod.z.string().default("~/.openclaw/logs/gateway.log"),
+    healthEndpoint: import_zod.z.string().default("/health")
+  }).default({}),
+  monitoring: import_zod.z.object({
+    intervalMs: import_zod.z.number().int().min(1e3).default(1e4),
+    probeTimeoutMs: import_zod.z.number().int().min(500).default(5e3),
+    configPollIntervalMs: import_zod.z.number().int().min(500).default(2e3),
+    degradedConfirmationCount: import_zod.z.number().int().min(1).default(2)
+  }).default({}),
+  health: import_zod.z.object({
+    healthyMin: import_zod.z.number().int().min(0).default(7),
+    degradedMin: import_zod.z.number().int().min(0).default(4),
+    memoryThresholdMb: import_zod.z.number().int().min(0).default(512),
+    cpuThresholdPercent: import_zod.z.number().int().min(0).max(100).default(90),
+    diskThresholdMb: import_zod.z.number().int().min(0).default(100)
+  }).default({}),
+  recovery: import_zod.z.object({
+    l1MaxAttempts: import_zod.z.number().int().min(1).default(3),
+    l1BackoffBaseMs: import_zod.z.number().int().min(1e3).default(5e3),
+    l1BackoffMultiplier: import_zod.z.number().min(1).default(3),
+    l2MaxAttempts: import_zod.z.number().int().min(1).default(2),
+    l2CooldownMs: import_zod.z.number().int().min(1e3).default(6e4),
+    circuitBreakerMaxCycles: import_zod.z.number().int().min(1).default(3),
+    circuitBreakerWindowMs: import_zod.z.number().int().min(6e4).default(36e5),
+    antiFlap: import_zod.z.object({
+      maxRestarts: import_zod.z.number().int().min(1).default(5),
+      windowMs: import_zod.z.number().int().min(6e4).default(9e5),
+      cooldownMs: import_zod.z.number().int().min(6e4).default(6e5),
+      decayMs: import_zod.z.number().int().min(6e4).default(216e5)
+    }).default({})
+  }).default({}),
+  backup: import_zod.z.object({
+    maxChronological: import_zod.z.number().int().min(1).default(20),
+    maxKnownGood: import_zod.z.number().int().min(1).default(3),
+    knownGoodStabilityMs: import_zod.z.number().int().min(1e4).default(6e4),
+    basePath: import_zod.z.string().default("~/.openclaw/aegis/backups")
+  }).default({}),
+  deadManSwitch: import_zod.z.object({
+    countdownMs: import_zod.z.number().int().min(5e3).default(3e4),
+    enabled: import_zod.z.boolean().default(true)
+  }).default({}),
+  alerts: import_zod.z.object({
+    channels: import_zod.z.array(alertChannelSchema).default([]),
+    retryAttempts: import_zod.z.number().int().min(0).default(3),
+    retryBackoffMs: import_zod.z.array(import_zod.z.number().int()).default([5e3, 15e3, 45e3])
+  }).default({}),
+  platform: import_zod.z.object({
+    type: import_zod.z.enum(["systemd", "launchd"]).default("systemd"),
+    watchdogSec: import_zod.z.number().int().min(10).default(30)
+  }).default({})
+});
+
+// src/config/loader.ts
+function expandHome(filepath) {
+  if (filepath.startsWith("~/")) {
+    return path.join(os.homedir(), filepath.slice(2));
+  }
+  return filepath;
+}
+function resolveConfigPaths(config) {
+  return {
+    ...config,
+    gateway: {
+      ...config.gateway,
+      configPath: expandHome(config.gateway.configPath),
+      pidFile: expandHome(config.gateway.pidFile),
+      logPath: expandHome(config.gateway.logPath)
+    },
+    backup: {
+      ...config.backup,
+      basePath: expandHome(config.backup.basePath)
+    }
+  };
+}
+function loadConfig(configPath) {
+  const resolvedPath = expandHome(configPath);
+  if (!fs.existsSync(resolvedPath)) {
+    const defaults = aegisConfigSchema.parse({});
+    return resolveConfigPaths(defaults);
+  }
+  const raw = fs.readFileSync(resolvedPath, "utf-8");
+  const parsed = import_toml.default.parse(raw);
+  const validated = aegisConfigSchema.parse(parsed);
+  return resolveConfigPaths(validated);
+}
+var DEFAULT_CONFIG_PATH = "~/.openclaw/aegis/config.toml";
+function getConfigDir() {
+  return expandHome("~/.openclaw/aegis");
+}
+function ensureConfigDir() {
+  const dir = getConfigDir();
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+}
+
+// src/health/monitor.ts
+var import_node_events = require("events");
+
+// src/types/index.ts
+var PROBE_WEIGHTS = {
+  process: 2,
+  port: 2,
+  http: 2,
+  config: 2,
+  websocket: 1,
+  tun: 1,
+  memory: 1,
+  cpu: 1,
+  disk: 1,
+  logTail: 1
+};
+var MAX_HEALTH_SCORE = Object.values(PROBE_WEIGHTS).reduce((a, b) => a + b, 0) * 2;
+
+// src/health/scoring.ts
+var DEFAULT_THRESHOLDS = {
+  healthyMin: 7,
+  degradedMin: 4
+};
+function computeHealthScore(results, thresholds = DEFAULT_THRESHOLDS) {
+  let rawTotal = 0;
+  for (const result of results) {
+    const weight = PROBE_WEIGHTS[result.name] ?? 1;
+    rawTotal += result.score * weight;
+  }
+  const normalized = MAX_HEALTH_SCORE > 0 ? Math.round(rawTotal / MAX_HEALTH_SCORE * 10) : 0;
+  const band = classifyBand(normalized, thresholds);
+  return { total: normalized, band, probeResults: results };
+}
+function classifyBand(score, thresholds) {
+  if (score >= thresholds.healthyMin) return "healthy";
+  if (score >= thresholds.degradedMin) return "degraded";
+  return "critical";
+}
+var DegradedConfirmation = class {
+  consecutiveDegradedCount = 0;
+  requiredCount;
+  constructor(requiredCount = 2) {
+    this.requiredCount = requiredCount;
+  }
+  update(band) {
+    if (band === "degraded") {
+      this.consecutiveDegradedCount++;
+      return this.consecutiveDegradedCount >= this.requiredCount;
+    }
+    if (band === "critical") {
+      this.consecutiveDegradedCount = 0;
+      return true;
+    }
+    this.consecutiveDegradedCount = 0;
+    return false;
+  }
+  reset() {
+    this.consecutiveDegradedCount = 0;
+  }
+  getCount() {
+    return this.consecutiveDegradedCount;
+  }
+};
+
+// src/health/probes/resolve-pid.ts
+var fs2 = __toESM(require("fs"));
+var import_node_child_process = require("child_process");
+function resolvePid(pidSource) {
+  if (pidSource.endsWith(".service") || !pidSource.includes("/")) {
+    const pid = resolveFromSystemd(pidSource);
+    if (pid !== null) return pid;
+  }
+  return resolveFromFile(pidSource);
+}
+function resolveFromSystemd(unit) {
+  try {
+    const output = (0, import_node_child_process.execFileSync)(
+      "systemctl",
+      ["--user", "show", "-p", "MainPID", "--value", unit],
+      { encoding: "utf-8", timeout: 3e3, stdio: ["pipe", "pipe", "pipe"] }
+    ).trim();
+    const pid = parseInt(output, 10);
+    if (!isNaN(pid) && pid > 0) return pid;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function resolveFromFile(pidFile) {
+  try {
+    if (!fs2.existsSync(pidFile)) return null;
+    const pidStr = fs2.readFileSync(pidFile, "utf-8").trim();
+    const pid = parseInt(pidStr, 10);
+    if (!isNaN(pid) && pid > 0) return pid;
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// src/health/probes/process.ts
+async function processProbe(_target, pidSource) {
+  const start = Date.now();
+  try {
+    const pid = resolvePid(pidSource);
+    if (pid === null) {
+      return {
+        name: "process",
+        healthy: false,
+        score: 0,
+        message: "Gateway process not found (checked systemd unit and PID file)",
+        latencyMs: Date.now() - start
+      };
+    }
+    try {
+      process.kill(pid, 0);
+      return {
+        name: "process",
+        healthy: true,
+        score: 2,
+        latencyMs: Date.now() - start
+      };
+    } catch {
+      return {
+        name: "process",
+        healthy: false,
+        score: 0,
+        message: `Process ${pid} not running (stale PID)`,
+        latencyMs: Date.now() - start
+      };
+    }
+  } catch (err) {
+    return {
+      name: "process",
+      healthy: false,
+      score: 0,
+      message: `Process probe error: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/port.ts
+var net = __toESM(require("net"));
+async function portProbe(target, port, timeoutMs = 5e3) {
+  const start = Date.now();
+  const host = target.type === "remote" ? target.host : "127.0.0.1";
+  return new Promise((resolve) => {
+    const socket = new net.Socket();
+    let resolved = false;
+    const finish = (result) => {
+      if (!resolved) {
+        resolved = true;
+        socket.destroy();
+        resolve(result);
+      }
+    };
+    socket.setTimeout(timeoutMs);
+    socket.connect(port, host, () => {
+      finish({
+        name: "port",
+        healthy: true,
+        score: 2,
+        latencyMs: Date.now() - start
+      });
+    });
+    socket.on("error", (err) => {
+      finish({
+        name: "port",
+        healthy: false,
+        score: 0,
+        message: `Port ${port} unreachable: ${err.message}`,
+        latencyMs: Date.now() - start
+      });
+    });
+    socket.on("timeout", () => {
+      finish({
+        name: "port",
+        healthy: false,
+        score: 0,
+        message: `Port ${port} connection timed out after ${timeoutMs}ms`,
+        latencyMs: Date.now() - start
+      });
+    });
+  });
+}
+
+// src/health/probes/http.ts
+var http = __toESM(require("http"));
+async function httpHealthProbe(target, port, endpoint = "/health", timeoutMs = 5e3) {
+  const start = Date.now();
+  const host = target.type === "remote" ? target.host : "127.0.0.1";
+  return new Promise((resolve) => {
+    const req = http.get(
+      {
+        hostname: host,
+        port,
+        path: endpoint,
+        timeout: timeoutMs
+      },
+      (res) => {
+        const statusCode = res.statusCode ?? 0;
+        res.resume();
+        if (statusCode >= 200 && statusCode < 300) {
+          resolve({
+            name: "http",
+            healthy: true,
+            score: 2,
+            latencyMs: Date.now() - start
+          });
+        } else {
+          resolve({
+            name: "http",
+            healthy: false,
+            score: 0,
+            message: `HTTP health returned status ${statusCode}`,
+            latencyMs: Date.now() - start
+          });
+        }
+      }
+    );
+    req.on("error", (err) => {
+      resolve({
+        name: "http",
+        healthy: false,
+        score: 0,
+        message: `HTTP health probe failed: ${err.message}`,
+        latencyMs: Date.now() - start
+      });
+    });
+    req.on("timeout", () => {
+      req.destroy();
+      resolve({
+        name: "http",
+        healthy: false,
+        score: 0,
+        message: `HTTP health probe timed out after ${timeoutMs}ms`,
+        latencyMs: Date.now() - start
+      });
+    });
+  });
+}
+
+// src/health/probes/config.ts
+var fs3 = __toESM(require("fs"));
+var REQUIRED_CONFIG_PATHS = [
+  { path: ["gateway", "port"], label: "gateway.port" }
+];
+var POISON_KEYS = ["autoAck", "autoAckMessage"];
+async function configProbe(_target, configPath) {
+  const start = Date.now();
+  try {
+    if (!fs3.existsSync(configPath)) {
+      return {
+        name: "config",
+        healthy: false,
+        score: 0,
+        message: "Gateway config file not found",
+        latencyMs: Date.now() - start
+      };
+    }
+    const raw = fs3.readFileSync(configPath, "utf-8");
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return {
+        name: "config",
+        healthy: false,
+        score: 0,
+        message: "Gateway config is not valid JSON",
+        latencyMs: Date.now() - start
+      };
+    }
+    const missingPaths = REQUIRED_CONFIG_PATHS.filter(({ path: path3 }) => {
+      let obj = parsed;
+      for (const key of path3) {
+        if (obj === null || typeof obj !== "object" || !(key in obj)) return true;
+        obj = obj[key];
+      }
+      return false;
+    });
+    if (missingPaths.length > 0) {
+      return {
+        name: "config",
+        healthy: false,
+        score: 0,
+        message: `Missing required config keys: ${missingPaths.map((p) => p.label).join(", ")}`,
+        latencyMs: Date.now() - start
+      };
+    }
+    const foundPoison = POISON_KEYS.filter((key) => key in parsed);
+    if (foundPoison.length > 0) {
+      return {
+        name: "config",
+        healthy: false,
+        score: 0,
+        message: `Poison keys detected: ${foundPoison.join(", ")}`,
+        latencyMs: Date.now() - start
+      };
+    }
+    return {
+      name: "config",
+      healthy: true,
+      score: 2,
+      latencyMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      name: "config",
+      healthy: false,
+      score: 0,
+      message: `Config probe error: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/tun.ts
+var fs4 = __toESM(require("fs"));
+var import_node_child_process2 = require("child_process");
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+async function tunProbe(_target) {
+  const start = Date.now();
+  try {
+    const tunDevices = fs4.readdirSync("/sys/class/net").filter((dev) => {
+      try {
+        const type = fs4.readFileSync(`/sys/class/net/${dev}/type`, "utf-8").trim();
+        return type === "65534";
+      } catch {
+        return false;
+      }
+    });
+    if (tunDevices.length === 0) {
+      return {
+        name: "tun",
+        healthy: true,
+        score: 2,
+        message: "No TUN device configured (not required)",
+        latencyMs: Date.now() - start
+      };
+    }
+    const tunDev = tunDevices[0];
+    if (!tunDev) {
+      return {
+        name: "tun",
+        healthy: true,
+        score: 2,
+        message: "No TUN device configured (not required)",
+        latencyMs: Date.now() - start
+      };
+    }
+    const { stdout } = await execFileAsync("ip", ["link", "show", tunDev]);
+    const isUp = stdout.includes("state UP") || stdout.includes(",UP");
+    return {
+      name: "tun",
+      healthy: isUp,
+      score: isUp ? 2 : 0,
+      message: isUp ? void 0 : `TUN device ${tunDev} is DOWN`,
+      latencyMs: Date.now() - start
+    };
+  } catch {
+    return {
+      name: "tun",
+      healthy: true,
+      score: 2,
+      message: "TUN probe skipped (not available on this platform)",
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/memory.ts
+var fs5 = __toESM(require("fs"));
+async function memoryProbe(_target, pidSource, thresholdMb = 512) {
+  const start = Date.now();
+  try {
+    const pid = resolvePid(pidSource);
+    if (pid === null) {
+      return {
+        name: "memory",
+        healthy: false,
+        score: 0,
+        message: "Gateway process not found \u2014 cannot check memory",
+        latencyMs: Date.now() - start
+      };
+    }
+    const statusPath = `/proc/${pid}/status`;
+    if (!fs5.existsSync(statusPath)) {
+      return {
+        name: "memory",
+        healthy: false,
+        score: 0,
+        message: `Process ${pid} not found in /proc`,
+        latencyMs: Date.now() - start
+      };
+    }
+    const status = fs5.readFileSync(statusPath, "utf-8");
+    const rssMatch = status.match(/VmRSS:\s+(\d+)\s+kB/);
+    if (!rssMatch) {
+      return {
+        name: "memory",
+        healthy: true,
+        score: 1,
+        message: "Could not parse RSS from /proc status",
+        latencyMs: Date.now() - start
+      };
+    }
+    const rssKb = parseInt(rssMatch[1] ?? "0", 10);
+    const rssMb = rssKb / 1024;
+    const healthy = rssMb < thresholdMb;
+    return {
+      name: "memory",
+      healthy,
+      score: healthy ? 2 : 0,
+      message: healthy ? void 0 : `RSS ${rssMb.toFixed(0)}MB exceeds threshold ${thresholdMb}MB`,
+      latencyMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      name: "memory",
+      healthy: false,
+      score: 0,
+      message: `Memory probe error: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/cpu.ts
+var fs6 = __toESM(require("fs"));
+async function cpuProbe(_target, pidSource, thresholdPercent = 90, sampleMs = 1e3) {
+  const start = Date.now();
+  try {
+    const pid = resolvePid(pidSource);
+    if (pid === null) {
+      return {
+        name: "cpu",
+        healthy: false,
+        score: 0,
+        message: "Gateway process not found \u2014 cannot check CPU",
+        latencyMs: Date.now() - start
+      };
+    }
+    const statPath = `/proc/${pid}/stat`;
+    if (!fs6.existsSync(statPath)) {
+      return {
+        name: "cpu",
+        healthy: false,
+        score: 0,
+        message: `Process ${pid} not found in /proc`,
+        latencyMs: Date.now() - start
+      };
+    }
+    const readCpuTime = () => {
+      const stat = fs6.readFileSync(statPath, "utf-8");
+      const fields = stat.split(" ");
+      const utime = parseInt(fields[13] ?? "0", 10) || 0;
+      const stime = parseInt(fields[14] ?? "0", 10) || 0;
+      return utime + stime;
+    };
+    const cpuTime1 = readCpuTime();
+    await new Promise((r) => setTimeout(r, sampleMs));
+    const cpuTime2 = readCpuTime();
+    const clockTicks = 100;
+    const cpuDelta = (cpuTime2 - cpuTime1) / clockTicks;
+    const cpuPercent = cpuDelta / (sampleMs / 1e3) * 100;
+    const healthy = cpuPercent < thresholdPercent;
+    return {
+      name: "cpu",
+      healthy,
+      score: healthy ? 2 : 0,
+      message: healthy ? void 0 : `CPU ${cpuPercent.toFixed(1)}% exceeds threshold ${thresholdPercent}%`,
+      latencyMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      name: "cpu",
+      healthy: false,
+      score: 0,
+      message: `CPU probe error: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/disk.ts
+var import_node_child_process3 = require("child_process");
+var import_node_util2 = require("util");
+var path2 = __toESM(require("path"));
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
+async function diskProbe(_target, configPath, thresholdMb = 100) {
+  const start = Date.now();
+  try {
+    const dir = path2.dirname(configPath);
+    const { stdout } = await execFileAsync2("df", ["-BM", "--output=avail", dir]);
+    const lines = stdout.trim().split("\n");
+    const lastLine = lines[lines.length - 1];
+    if (!lastLine) {
+      return {
+        name: "disk",
+        healthy: true,
+        score: 1,
+        message: "Could not parse df output",
+        latencyMs: Date.now() - start
+      };
+    }
+    const availStr = lastLine.trim().replace("M", "");
+    const availMb = parseInt(availStr, 10);
+    if (isNaN(availMb)) {
+      return {
+        name: "disk",
+        healthy: true,
+        score: 1,
+        message: "Could not parse disk space",
+        latencyMs: Date.now() - start
+      };
+    }
+    const healthy = availMb >= thresholdMb;
+    return {
+      name: "disk",
+      healthy,
+      score: healthy ? 2 : 0,
+      message: healthy ? void 0 : `Only ${availMb}MB available (threshold: ${thresholdMb}MB)`,
+      latencyMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      name: "disk",
+      healthy: true,
+      score: 1,
+      message: `Disk probe fallback: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/log-tail.ts
+var fs7 = __toESM(require("fs"));
+var ERROR_PATTERNS = [
+  /ECONNRESET/,
+  /SIGTERM/,
+  /SIGKILL/,
+  /ENOMEM/,
+  /fatal\s+error/i,
+  /uncaught\s+exception/i,
+  /unhandled\s+rejection/i,
+  /out\s+of\s+memory/i,
+  /EACCES/,
+  /ENOSPC/
+];
+async function logTailProbe(_target, logPath, tailLines = 50) {
+  const start = Date.now();
+  try {
+    if (!fs7.existsSync(logPath)) {
+      return {
+        name: "logTail",
+        healthy: true,
+        score: 2,
+        message: "Log file not found (may not exist yet)",
+        latencyMs: Date.now() - start
+      };
+    }
+    const content = fs7.readFileSync(logPath, "utf-8");
+    const lines = content.split("\n").slice(-tailLines);
+    const recentText = lines.join("\n");
+    const matchedPatterns = ERROR_PATTERNS.filter((p) => p.test(recentText));
+    if (matchedPatterns.length === 0) {
+      return {
+        name: "logTail",
+        healthy: true,
+        score: 2,
+        latencyMs: Date.now() - start
+      };
+    }
+    const score = matchedPatterns.length >= 3 ? 0 : 1;
+    return {
+      name: "logTail",
+      healthy: false,
+      score,
+      message: `Error patterns in recent logs: ${matchedPatterns.map((p) => p.source).join(", ")}`,
+      latencyMs: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      name: "logTail",
+      healthy: true,
+      score: 1,
+      message: `Log tail probe fallback: ${err instanceof Error ? err.message : String(err)}`,
+      latencyMs: Date.now() - start
+    };
+  }
+}
+
+// src/health/probes/websocket.ts
+var import_ws = __toESM(require("ws"));
+async function websocketProbe(target, port, timeoutMs = 5e3) {
+  const start = Date.now();
+  const host = target.type === "remote" ? target.host : "127.0.0.1";
+  const url = `ws://${host}:${port}`;
+  return new Promise((resolve) => {
+    let resolved = false;
+    const finish = (result) => {
+      if (!resolved) {
+        resolved = true;
+        resolve(result);
+      }
+    };
+    const timer = setTimeout(() => {
+      ws.terminate();
+      finish({
+        name: "websocket",
+        healthy: false,
+        score: 0,
+        message: `WebSocket handshake timed out after ${timeoutMs}ms`,
+        latencyMs: Date.now() - start
+      });
+    }, timeoutMs);
+    const ws = new import_ws.default(url, { handshakeTimeout: timeoutMs });
+    ws.on("open", () => {
+      clearTimeout(timer);
+      ws.close();
+      finish({
+        name: "websocket",
+        healthy: true,
+        score: 2,
+        latencyMs: Date.now() - start
+      });
+    });
+    ws.on("error", (err) => {
+      clearTimeout(timer);
+      ws.terminate();
+      finish({
+        name: "websocket",
+        healthy: false,
+        score: 0,
+        message: `WebSocket probe failed: ${err.message}`,
+        latencyMs: Date.now() - start
+      });
+    });
+  });
+}
+
+// src/health/monitor.ts
+var HealthMonitor = class extends import_node_events.EventEmitter {
+  constructor(config) {
+    super();
+    this.config = config;
+    this.degradedConfirmation = new DegradedConfirmation(
+      config.monitoring.degradedConfirmationCount
+    );
+  }
+  interval = null;
+  degradedConfirmation;
+  lastScore = null;
+  async runAllProbes() {
+    const target = { type: "local" };
+    const timeout = this.config.monitoring.probeTimeoutMs;
+    const withTimeout = async (fn, name) => {
+      try {
+        return await Promise.race([
+          fn(),
+          new Promise(
+            (resolve) => setTimeout(
+              () => resolve({
+                name,
+                healthy: false,
+                score: 0,
+                message: `Probe timed out after ${timeout}ms`,
+                latencyMs: timeout
+              }),
+              timeout
+            )
+          )
+        ]);
+      } catch (err) {
+        return {
+          name,
+          healthy: false,
+          score: 0,
+          message: `Probe error: ${err instanceof Error ? err.message : String(err)}`,
+          latencyMs: 0
+        };
+      }
+    };
+    const results = await Promise.allSettled([
+      withTimeout(() => processProbe(target, this.config.gateway.pidFile), "process"),
+      withTimeout(() => portProbe(target, this.config.gateway.port, timeout), "port"),
+      withTimeout(
+        () => httpHealthProbe(
+          target,
+          this.config.gateway.port,
+          this.config.gateway.healthEndpoint,
+          timeout
+        ),
+        "http"
+      ),
+      withTimeout(() => configProbe(target, this.config.gateway.configPath), "config"),
+      withTimeout(() => tunProbe(target), "tun"),
+      withTimeout(
+        () => memoryProbe(target, this.config.gateway.pidFile, this.config.health.memoryThresholdMb),
+        "memory"
+      ),
+      withTimeout(
+        () => cpuProbe(target, this.config.gateway.pidFile, this.config.health.cpuThresholdPercent),
+        "cpu"
+      ),
+      withTimeout(
+        () => diskProbe(target, this.config.gateway.configPath, this.config.health.diskThresholdMb),
+        "disk"
+      ),
+      withTimeout(() => logTailProbe(target, this.config.gateway.logPath), "logTail"),
+      withTimeout(
+        () => websocketProbe(target, this.config.gateway.port, timeout),
+        "websocket"
+      )
+    ]);
+    const probeResults = results.map((r, i) => {
+      if (r.status === "fulfilled") return r.value;
+      const names = [
+        "process",
+        "port",
+        "http",
+        "config",
+        "tun",
+        "memory",
+        "cpu",
+        "disk",
+        "logTail",
+        "websocket"
+      ];
+      return {
+        name: names[i] ?? "unknown",
+        healthy: false,
+        score: 0,
+        message: `Probe rejected: ${r.reason instanceof Error ? r.reason.message : String(r.reason)}`,
+        latencyMs: 0
+      };
+    });
+    const score = computeHealthScore(probeResults, {
+      healthyMin: this.config.health.healthyMin,
+      degradedMin: this.config.health.degradedMin
+    });
+    this.lastScore = score;
+    const shouldEscalate = this.degradedConfirmation.update(score.band);
+    this.emit("check", score);
+    if (shouldEscalate && score.band !== "healthy") {
+      this.emit("escalate", score);
+    }
+    return score;
+  }
+  start() {
+    this.interval = setInterval(() => {
+      void this.runAllProbes();
+    }, this.config.monitoring.intervalMs);
+  }
+  stop() {
+    if (this.interval) {
+      clearInterval(this.interval);
+      this.interval = null;
+    }
+  }
+  getLastScore() {
+    return this.lastScore;
+  }
+};
+
+// src/cli/commands/status.ts
+var statusCommand = new import_commander.Command("status").description("Show current health status and recovery stats").option("-c, --config <path>", "Config file path", DEFAULT_CONFIG_PATH).action(async (opts) => {
+  const config = loadConfig(opts.config);
+  const monitor = new HealthMonitor(config);
+  const score = await monitor.runAllProbes();
+  const bandColors = {
+    healthy: "\x1B[32m",
+    degraded: "\x1B[33m",
+    critical: "\x1B[31m"
+  };
+  const reset = "\x1B[0m";
+  const color = bandColors[score.band] ?? "";
+  process.stdout.write(`
+Health: ${color}${score.band.toUpperCase()}${reset} (score: ${score.total})
+
+`);
+  for (const probe of score.probeResults) {
+    const icon = probe.healthy ? "\x1B[32m+\x1B[0m" : "\x1B[31m-\x1B[0m";
+    const msg = probe.message ? ` \u2014 ${probe.message}` : "";
+    process.stdout.write(`  ${icon} ${probe.name} (${probe.latencyMs}ms)${msg}
+`);
+  }
+  if (config.alerts.channels.length === 0) {
+    process.stdout.write(
+      `
+\x1B[33mWARNING: No alert channels configured. Aegis cannot notify you during incidents. Run 'aegis init' to add alerts.\x1B[0m
+`
+    );
+  }
+  process.stdout.write("\n");
+});
+
+// src/cli/commands/check.ts
+var import_commander2 = require("commander");
+var checkCommand = new import_commander2.Command("check").description("Run all health probes once and exit").option("-c, --config <path>", "Config file path", DEFAULT_CONFIG_PATH).option("--json", "Output as JSON").action(async (opts) => {
+  const config = loadConfig(opts.config);
+  const monitor = new HealthMonitor(config);
+  const score = await monitor.runAllProbes();
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(score, null, 2) + "\n");
+  } else {
+    const failed = score.probeResults.filter((p) => !p.healthy);
+    process.stdout.write(`Health: ${score.band.toUpperCase()} (score: ${score.total})
+`);
+    process.stdout.write(`Probes: ${score.probeResults.length - failed.length} passed, ${failed.length} failed
+`);
+    if (failed.length > 0) {
+      process.stdout.write("\nFailed probes:\n");
+      for (const probe of failed) {
+        process.stdout.write(`  - ${probe.name}: ${probe.message ?? "failed"}
+`);
+      }
+    }
+  }
+  process.exit(score.band === "healthy" ? 0 : 1);
+});
+
+// src/cli/commands/init.ts
+var import_commander3 = require("commander");
+var fs8 = __toESM(require("fs"));
+var readline = __toESM(require("readline"));
+function ask(rl, question, defaultValue) {
+  const suffix = defaultValue ? ` [${defaultValue}]` : "";
+  return new Promise((resolve) => {
+    rl.question(`${question}${suffix}: `, (answer) => {
+      resolve(answer.trim() || defaultValue || "");
+    });
+  });
+}
+function detectPort() {
+  try {
+    const configPath = expandHome("~/.openclaw/openclaw.json");
+    if (fs8.existsSync(configPath)) {
+      const raw = JSON.parse(fs8.readFileSync(configPath, "utf-8"));
+      if (raw?.gateway?.port) return raw.gateway.port;
+    }
+  } catch {
+  }
+  return 3e3;
+}
+function generateToml(opts) {
+  let toml = `# OpenClaw Aegis Configuration
+# Generated by 'aegis init'
+
+[gateway]
+configPath = "~/.openclaw/openclaw.json"
+pidFile = "openclaw-gateway.service"
+port = ${opts.port}
+logPath = "~/.openclaw/logs/gateway.log"
+healthEndpoint = "/health"
+
+[monitoring]
+intervalMs = 10000
+probeTimeoutMs = 5000
+
+[health]
+memoryThresholdMb = ${opts.memoryThresholdMb}
+cpuThresholdPercent = 90
+diskThresholdMb = 100
+
+[recovery]
+l1MaxAttempts = 3
+l2MaxAttempts = 2
+
+[backup]
+maxKnownGood = 5
+knownGoodStabilityMs = 60000
+
+[deadManSwitch]
+enabled = true
+countdownMs = 30000
+
+[platform]
+type = "systemd"
+`;
+  if (opts.channels.length > 0) {
+    toml += "\n[alerts]\n";
+    for (const ch of opts.channels) {
+      toml += "\n[[alerts.channels]]\n";
+      for (const [key, val] of Object.entries(ch)) {
+        if (typeof val === "number") {
+          toml += `${key} = ${val}
+`;
+        } else {
+          toml += `${key} = "${val}"
+`;
+        }
+      }
+    }
+  }
+  return toml;
+}
+var initCommand = new import_commander3.Command("init").description("Interactive setup wizard \u2014 configure Aegis for your gateway").option("--auto", "Auto-detect everything, no prompts").action(async (opts) => {
+  const configDir = getConfigDir();
+  const configFile = expandHome(DEFAULT_CONFIG_PATH);
+  if (fs8.existsSync(configFile) && !opts.auto) {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const overwrite = await ask(rl, "Config already exists. Overwrite? (y/N)", "n");
+    if (overwrite.toLowerCase() !== "y") {
+      console.log("Aborted.");
+      rl.close();
+      return;
+    }
+    rl.close();
+  }
+  const detectedPort = detectPort();
+  const channels = [];
+  if (opts.auto) {
+    console.log("Auto-detecting configuration...");
+    console.log(`  Gateway port: ${detectedPort}`);
+    console.log(`  PID source: openclaw-gateway.service (systemd)`);
+    console.log(`  Memory threshold: 768MB`);
+  } else {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    console.log("\n  OpenClaw Aegis \u2014 Setup Wizard\n");
+    console.log("  Detected gateway config at ~/.openclaw/openclaw.json");
+    console.log(`  Detected gateway port: ${detectedPort}
+`);
+    const portStr = await ask(rl, "Gateway port", String(detectedPort));
+    const port = parseInt(portStr, 10) || detectedPort;
+    const memStr = await ask(rl, "Memory threshold (MB)", "768");
+    const memThreshold = parseInt(memStr, 10) || 768;
+    console.log("\n  Alert Channels (out-of-band \u2014 never through the gateway)\n");
+    console.log("  Supported: ntfy, telegram, whatsapp, slack, discord, email, pushover, webhook\n");
+    let addMore = true;
+    while (addMore) {
+      const channelType = await ask(rl, "Add alert channel? (ntfy/telegram/whatsapp/slack/discord/email/pushover/webhook/skip)", "skip");
+      if (channelType === "skip" || channelType === "") {
+        addMore = false;
+        continue;
+      }
+      switch (channelType) {
+        case "ntfy": {
+          const topic = await ask(rl, "  ntfy topic", "aegis-alerts");
+          const url = await ask(rl, "  ntfy server URL", "https://ntfy.sh");
+          channels.push({ type: "ntfy", topic, url, priority: 4 });
+          console.log(`  Added ntfy channel (${url}/${topic})
+`);
+          break;
+        }
+        case "telegram": {
+          const botToken = await ask(rl, "  Telegram bot token");
+          const chatId = await ask(rl, "  Telegram chat ID");
+          if (botToken && chatId) {
+            channels.push({ type: "telegram", botToken, chatId });
+            console.log("  Added Telegram channel\n");
+          } else {
+            console.log("  Skipped \u2014 bot token and chat ID required\n");
+          }
+          break;
+        }
+        case "whatsapp": {
+          const phoneNumberId = await ask(rl, "  WhatsApp Business phone number ID");
+          const accessToken = await ask(rl, "  WhatsApp Cloud API access token");
+          const recipientNumber = await ask(rl, "  Recipient phone number (with country code, e.g. 61412345678)");
+          if (phoneNumberId && accessToken && recipientNumber) {
+            channels.push({ type: "whatsapp", phoneNumberId, accessToken, recipientNumber });
+            console.log("  Added WhatsApp channel\n");
+          } else {
+            console.log("  Skipped \u2014 all three fields required\n");
+          }
+          break;
+        }
+        case "slack": {
+          const webhookUrl = await ask(rl, "  Slack Incoming Webhook URL");
+          if (webhookUrl) {
+            const channel = await ask(rl, "  Slack channel override (optional, e.g. #alerts)");
+            const ch = { type: "slack", webhookUrl };
+            if (channel) ch.channel = channel;
+            channels.push(ch);
+            console.log("  Added Slack channel\n");
+          } else {
+            console.log("  Skipped \u2014 webhook URL required\n");
+          }
+          break;
+        }
+        case "discord": {
+          const webhookUrl = await ask(rl, "  Discord Webhook URL");
+          if (webhookUrl) {
+            const username = await ask(rl, "  Bot display name (optional)", "Aegis");
+            const ch = { type: "discord", webhookUrl };
+            if (username && username !== "Aegis") ch.username = username;
+            channels.push(ch);
+            console.log("  Added Discord channel\n");
+          } else {
+            console.log("  Skipped \u2014 webhook URL required\n");
+          }
+          break;
+        }
+        case "email": {
+          const host = await ask(rl, "  SMTP host (e.g. smtp.gmail.com)");
+          const portStr2 = await ask(rl, "  SMTP port", "587");
+          const username = await ask(rl, "  SMTP username");
+          const password = await ask(rl, "  SMTP password");
+          const from = await ask(rl, "  From address");
+          const to = await ask(rl, "  To address");
+          if (host && username && password && from && to) {
+            channels.push({
+              type: "email",
+              host,
+              port: parseInt(portStr2, 10) || 587,
+              secure: 0,
+              username,
+              password,
+              from,
+              to
+            });
+            console.log("  Added Email channel\n");
+          } else {
+            console.log("  Skipped \u2014 all fields required\n");
+          }
+          break;
+        }
+        case "pushover": {
+          const apiToken = await ask(rl, "  Pushover API token (from your app)");
+          const userKey = await ask(rl, "  Pushover user key");
+          if (apiToken && userKey) {
+            const device = await ask(rl, "  Device name (optional)");
+            const ch = { type: "pushover", apiToken, userKey };
+            if (device) ch.device = device;
+            channels.push(ch);
+            console.log("  Added Pushover channel\n");
+          } else {
+            console.log("  Skipped \u2014 API token and user key required\n");
+          }
+          break;
+        }
+        case "webhook": {
+          const url = await ask(rl, "  Webhook URL");
+          if (url) {
+            const secret = await ask(rl, "  Webhook secret (optional)");
+            const ch = { type: "webhook", url };
+            if (secret) ch.secret = secret;
+            channels.push(ch);
+            console.log(`  Added webhook channel (${url})
+`);
+          } else {
+            console.log("  Skipped \u2014 URL required\n");
+          }
+          break;
+        }
+        default:
+          console.log(`  Unknown channel type: ${channelType}
+`);
+      }
+    }
+    rl.close();
+    const toml2 = generateToml({ port, memoryThresholdMb: memThreshold, channels });
+    ensureConfigDir();
+    fs8.writeFileSync(configFile, toml2, { mode: 384 });
+    console.log(`
+  Config written to ${configFile}`);
+    console.log("\n  Running health check...\n");
+    const config2 = loadConfig(configFile);
+    const monitor2 = new HealthMonitor(config2);
+    const score2 = await monitor2.runAllProbes();
+    const passed2 = score2.probeResults.filter((p) => p.healthy).length;
+    const failed = score2.probeResults.filter((p) => !p.healthy);
+    console.log(`  Health: ${score2.band.toUpperCase()} (${passed2}/${score2.probeResults.length} probes passed)`);
+    if (failed.length > 0) {
+      for (const probe of failed) {
+        console.log(`    - ${probe.name}: ${probe.message ?? "failed"}`);
+      }
+    }
+    if (channels.length === 0) {
+      console.log("\n  No alert channels configured. You can add them later by editing:");
+      console.log(`  ${configFile}`);
+    }
+    console.log("\n  Setup complete. Run 'aegis check' to verify anytime.\n");
+    return;
+  }
+  const toml = generateToml({ port: detectedPort, memoryThresholdMb: 768, channels });
+  ensureConfigDir();
+  fs8.writeFileSync(configFile, toml, { mode: 384 });
+  console.log(`Config written to ${configFile}`);
+  const config = loadConfig(configFile);
+  const monitor = new HealthMonitor(config);
+  const score = await monitor.runAllProbes();
+  const passed = score.probeResults.filter((p) => p.healthy).length;
+  console.log(`Health: ${score.band.toUpperCase()} (${passed}/${score.probeResults.length} probes passed)`);
+  console.log("\nSetup complete.");
+});
+
+// src/cli/commands/test-alert.ts
+var import_commander4 = require("commander");
+
+// src/alerts/dispatcher.ts
+var AlertDispatcher = class {
+  providers = [];
+  retryBackoffMs;
+  retryAttempts;
+  constructor(retryAttempts = 3, retryBackoffMs = [5e3, 15e3, 45e3]) {
+    this.retryAttempts = retryAttempts;
+    this.retryBackoffMs = retryBackoffMs;
+  }
+  addProvider(provider) {
+    this.providers.push(provider);
+  }
+  getProviders() {
+    return [...this.providers];
+  }
+  hasProviders() {
+    return this.providers.length > 0;
+  }
+  async dispatch(alert) {
+    if (this.providers.length === 0) {
+      return { sent: false, results: [], allFailed: true };
+    }
+    const scrubbed = scrubSensitiveData(alert);
+    const results = [];
+    for (const provider of this.providers) {
+      const result = await this.sendWithRetry(provider, scrubbed);
+      results.push(result);
+    }
+    const anySuccess = results.some((r) => r.success);
+    return { sent: anySuccess, results, allFailed: !anySuccess };
+  }
+  async testAll() {
+    const results = /* @__PURE__ */ new Map();
+    for (const provider of this.providers) {
+      try {
+        const ok = await provider.test();
+        results.set(provider.name, ok);
+      } catch {
+        results.set(provider.name, false);
+      }
+    }
+    return results;
+  }
+  async sendWithRetry(provider, alert) {
+    let lastResult = {
+      provider: provider.name,
+      success: false,
+      error: "No attempts made",
+      durationMs: 0
+    };
+    for (let attempt = 0; attempt <= this.retryAttempts; attempt++) {
+      try {
+        lastResult = await provider.send(alert);
+        if (lastResult.success) return lastResult;
+      } catch (err) {
+        lastResult = {
+          provider: provider.name,
+          success: false,
+          error: err instanceof Error ? err.message : String(err),
+          durationMs: 0
+        };
+      }
+      if (attempt < this.retryAttempts) {
+        const delay = this.retryBackoffMs[attempt] ?? this.retryBackoffMs[this.retryBackoffMs.length - 1] ?? 5e3;
+        await new Promise((r) => setTimeout(r, delay));
+      }
+    }
+    return lastResult;
+  }
+};
+function scrubSensitiveData(alert) {
+  return {
+    ...alert,
+    body: scrubString(alert.body),
+    title: scrubString(alert.title)
+  };
+}
+function scrubString(input) {
+  return input.replace(
+    /("[^"]*(?:key|secret|token|password|credential|auth)[^"]*"\s*:\s*)"[^"]*"/gi,
+    '$1"[REDACTED]"'
+  );
+}
+
+// src/alerts/providers/ntfy.ts
+var NtfyProvider = class {
+  name = "ntfy";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const url = `${this.config.url}/${this.config.topic}`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Title": alert.title,
+          "Priority": String(this.config.priority),
+          "Tags": alertSeverityToTag(alert.severity)
+        },
+        body: alert.body
+      });
+      return {
+        provider: this.name,
+        success: response.ok,
+        error: response.ok ? void 0 : `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+function alertSeverityToTag(severity) {
+  switch (severity) {
+    case "critical":
+      return "rotating_light";
+    case "warning":
+      return "warning";
+    default:
+      return "information_source";
+  }
+}
+
+// src/alerts/providers/telegram.ts
+var TelegramProvider = class {
+  name = "telegram";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const url = `https://api.telegram.org/bot${this.config.botToken}/sendMessage`;
+    const icon = alert.severity === "critical" ? "\u{1F6A8}" : alert.severity === "warning" ? "\u26A0\uFE0F" : "\u2139\uFE0F";
+    const text = `${icon} *${escapeMarkdown(alert.title)}*
+
+${escapeMarkdown(alert.body)}`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          chat_id: this.config.chatId,
+          text,
+          parse_mode: "MarkdownV2"
+        })
+      });
+      const data = await response.json();
+      return {
+        provider: this.name,
+        success: data.ok,
+        error: data.ok ? void 0 : data.description,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+function escapeMarkdown(text) {
+  return text.replace(/([_*[\]()~`>#+\-=|{}.!\\])/g, "\\$1");
+}
+
+// src/alerts/providers/whatsapp.ts
+var WhatsAppProvider = class {
+  name = "whatsapp";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const url = `https://graph.facebook.com/v21.0/${this.config.phoneNumberId}/messages`;
+    const icon = alert.severity === "critical" ? "\u{1F6A8}" : alert.severity === "warning" ? "\u26A0\uFE0F" : "\u2139\uFE0F";
+    const text = `${icon} *${alert.title}*
+
+${alert.body}`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${this.config.accessToken}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          messaging_product: "whatsapp",
+          to: this.config.recipientNumber,
+          type: "text",
+          text: { body: text }
+        })
+      });
+      const data = await response.json();
+      const success = response.ok && !!data.messages?.length;
+      return {
+        provider: this.name,
+        success,
+        error: success ? void 0 : data.error?.message ?? `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/alerts/providers/webhook.ts
+var crypto = __toESM(require("crypto"));
+var WebhookProvider = class {
+  name = "webhook";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const body = JSON.stringify(alert);
+    const headers = { "Content-Type": "application/json" };
+    if (this.config.secret) {
+      const signature = crypto.createHmac("sha256", this.config.secret).update(body).digest("hex");
+      headers["X-Aegis-Signature"] = `sha256=${signature}`;
+    }
+    try {
+      const response = await fetch(this.config.url, {
+        method: "POST",
+        headers,
+        body
+      });
+      return {
+        provider: this.name,
+        success: response.ok,
+        error: response.ok ? void 0 : `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Webhook Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/alerts/providers/slack.ts
+var SlackProvider = class {
+  name = "slack";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const icon = alert.severity === "critical" ? ":rotating_light:" : alert.severity === "warning" ? ":warning:" : ":information_source:";
+    const payload = {
+      text: `${icon} *${alert.title}*
+
+${alert.body}`
+    };
+    if (this.config.channel) {
+      payload.channel = this.config.channel;
+    }
+    try {
+      const response = await fetch(this.config.webhookUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload)
+      });
+      const ok = response.ok;
+      return {
+        provider: this.name,
+        success: ok,
+        error: ok ? void 0 : `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/alerts/providers/discord.ts
+var DiscordProvider = class {
+  name = "discord";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const color = alert.severity === "critical" ? 15548997 : alert.severity === "warning" ? 16705372 : 5763719;
+    const payload = {
+      embeds: [{
+        title: alert.title,
+        description: alert.body,
+        color,
+        timestamp: alert.timestamp,
+        footer: { text: "OpenClaw Aegis" }
+      }]
+    };
+    if (this.config.username) {
+      payload.username = this.config.username;
+    }
+    try {
+      const response = await fetch(this.config.webhookUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload)
+      });
+      const ok = response.status === 204 || response.ok;
+      return {
+        provider: this.name,
+        success: ok,
+        error: ok ? void 0 : `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/alerts/providers/email.ts
+var net2 = __toESM(require("net"));
+var tls = __toESM(require("tls"));
+var EmailProvider = class {
+  name = "email";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const icon = alert.severity === "critical" ? "[CRITICAL]" : alert.severity === "warning" ? "[WARNING]" : "[INFO]";
+    const subject = `${icon} ${alert.title}`;
+    try {
+      await this.sendSmtp(subject, alert.body);
+      return {
+        provider: this.name,
+        success: true,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+  sendSmtp(subject, body) {
+    return new Promise((resolve, reject) => {
+      const timeout = 15e3;
+      let socket;
+      const connect2 = () => {
+        if (this.config.secure) {
+          socket = tls.connect({
+            host: this.config.host,
+            port: this.config.port,
+            rejectUnauthorized: true
+          });
+        } else {
+          socket = net2.createConnection({
+            host: this.config.host,
+            port: this.config.port
+          });
+        }
+        socket.setTimeout(timeout);
+        let buffer = "";
+        let step = 0;
+        const commands = [
+          `EHLO aegis\r
+`,
+          `AUTH LOGIN\r
+`,
+          `${Buffer.from(this.config.username).toString("base64")}\r
+`,
+          `${Buffer.from(this.config.password).toString("base64")}\r
+`,
+          `MAIL FROM:<${this.config.from}>\r
+`,
+          `RCPT TO:<${this.config.to}>\r
+`,
+          `DATA\r
+`,
+          `From: ${this.config.from}\r
+To: ${this.config.to}\r
+Subject: ${subject}\r
+Content-Type: text/plain; charset=utf-8\r
+X-Mailer: OpenClaw-Aegis\r
+\r
+${body}\r
+.\r
+`,
+          `QUIT\r
+`
+        ];
+        socket.on("data", (data) => {
+          buffer += data.toString();
+          const lines = buffer.split("\r\n");
+          buffer = lines.pop() ?? "";
+          for (const line of lines) {
+            if (!line) continue;
+            const code = parseInt(line.substring(0, 3), 10);
+            if (line.charAt(3) === "-") continue;
+            if (code >= 400) {
+              socket.destroy();
+              reject(new Error(`SMTP error: ${line}`));
+              return;
+            }
+            if (step < commands.length) {
+              socket.write(commands[step]);
+              step++;
+            }
+            if (step >= commands.length && code === 221) {
+              socket.end();
+              resolve();
+              return;
+            }
+          }
+        });
+        socket.on("timeout", () => {
+          socket.destroy();
+          reject(new Error("SMTP connection timed out"));
+        });
+        socket.on("error", (err) => {
+          reject(new Error(`SMTP error: ${err.message}`));
+        });
+      };
+      if (!this.config.secure && this.config.port === 587) {
+        const plain = net2.createConnection({
+          host: this.config.host,
+          port: this.config.port
+        });
+        plain.setTimeout(timeout);
+        let buf = "";
+        let startTlsSent = false;
+        let ehloSent = false;
+        plain.on("data", (data) => {
+          buf += data.toString();
+          const lines = buf.split("\r\n");
+          buf = lines.pop() ?? "";
+          for (const line of lines) {
+            if (!line) continue;
+            const code = parseInt(line.substring(0, 3), 10);
+            if (line.charAt(3) === "-") continue;
+            if (code >= 400) {
+              plain.destroy();
+              reject(new Error(`SMTP error: ${line}`));
+              return;
+            }
+            if (!ehloSent) {
+              plain.write("EHLO aegis\r\n");
+              ehloSent = true;
+            } else if (!startTlsSent) {
+              plain.write("STARTTLS\r\n");
+              startTlsSent = true;
+            } else if (code === 220 && startTlsSent) {
+              socket = tls.connect({
+                socket: plain,
+                host: this.config.host,
+                rejectUnauthorized: true
+              }, () => {
+                let step2 = 0;
+                let buffer2 = "";
+                const cmds = [
+                  `EHLO aegis\r
+`,
+                  `AUTH LOGIN\r
+`,
+                  `${Buffer.from(this.config.username).toString("base64")}\r
+`,
+                  `${Buffer.from(this.config.password).toString("base64")}\r
+`,
+                  `MAIL FROM:<${this.config.from}>\r
+`,
+                  `RCPT TO:<${this.config.to}>\r
+`,
+                  `DATA\r
+`,
+                  `From: ${this.config.from}\r
+To: ${this.config.to}\r
+Subject: ${subject}\r
+Content-Type: text/plain; charset=utf-8\r
+X-Mailer: OpenClaw-Aegis\r
+\r
+${body}\r
+.\r
+`,
+                  `QUIT\r
+`
+                ];
+                socket.write(cmds[0]);
+                step2 = 1;
+                socket.on("data", (d) => {
+                  buffer2 += d.toString();
+                  const ls = buffer2.split("\r\n");
+                  buffer2 = ls.pop() ?? "";
+                  for (const l of ls) {
+                    if (!l) continue;
+                    const c = parseInt(l.substring(0, 3), 10);
+                    if (l.charAt(3) === "-") continue;
+                    if (c >= 400) {
+                      socket.destroy();
+                      reject(new Error(`SMTP error: ${l}`));
+                      return;
+                    }
+                    if (step2 < cmds.length) {
+                      socket.write(cmds[step2]);
+                      step2++;
+                    }
+                    if (step2 >= cmds.length && c === 221) {
+                      socket.end();
+                      resolve();
+                      return;
+                    }
+                  }
+                });
+              });
+              return;
+            }
+          }
+        });
+        plain.on("timeout", () => {
+          plain.destroy();
+          reject(new Error("SMTP connection timed out"));
+        });
+        plain.on("error", (err) => {
+          reject(new Error(`SMTP error: ${err.message}`));
+        });
+      } else {
+        connect2();
+      }
+    });
+  }
+};
+
+// src/alerts/providers/pushover.ts
+var PushoverProvider = class {
+  name = "pushover";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async send(alert) {
+    const start = Date.now();
+    const priority = alert.severity === "critical" ? 1 : alert.severity === "warning" ? 0 : -1;
+    const params = {
+      token: this.config.apiToken,
+      user: this.config.userKey,
+      title: alert.title,
+      message: alert.body,
+      priority: String(priority),
+      timestamp: String(Math.floor(new Date(alert.timestamp).getTime() / 1e3))
+    };
+    if (this.config.device) {
+      params.device = this.config.device;
+    }
+    try {
+      const response = await fetch("https://api.pushover.net/1/messages.json", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams(params).toString()
+      });
+      const data = await response.json();
+      const ok = data.status === 1;
+      return {
+        provider: this.name,
+        success: ok,
+        error: ok ? void 0 : data.errors?.join(", ") ?? `HTTP ${response.status}`,
+        durationMs: Date.now() - start
+      };
+    } catch (err) {
+      return {
+        provider: this.name,
+        success: false,
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: Date.now() - start
+      };
+    }
+  }
+  async test() {
+    try {
+      const result = await this.send({
+        severity: "info",
+        title: "Aegis Alert Test",
+        body: "This is a test alert from OpenClaw Aegis.",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return result.success;
+    } catch {
+      return false;
+    }
+  }
+};
+
+// src/cli/commands/test-alert.ts
+var testAlertCommand = new import_commander4.Command("test-alert").description("Send a test alert to all configured channels").option("-c, --config <path>", "Config file path", DEFAULT_CONFIG_PATH).action(async (opts) => {
+  const config = loadConfig(opts.config);
+  if (config.alerts.channels.length === 0) {
+    console.log("No alert channels configured. Run 'aegis init' to add one.");
+    process.exit(1);
+  }
+  const dispatcher = new AlertDispatcher(1, [1e3]);
+  for (const ch of config.alerts.channels) {
+    switch (ch.type) {
+      case "ntfy":
+        dispatcher.addProvider(new NtfyProvider(ch));
+        break;
+      case "telegram":
+        dispatcher.addProvider(new TelegramProvider(ch));
+        break;
+      case "whatsapp":
+        dispatcher.addProvider(new WhatsAppProvider(ch));
+        break;
+      case "webhook":
+        dispatcher.addProvider(new WebhookProvider(ch));
+        break;
+      case "slack":
+        dispatcher.addProvider(new SlackProvider(ch));
+        break;
+      case "discord":
+        dispatcher.addProvider(new DiscordProvider(ch));
+        break;
+      case "email":
+        dispatcher.addProvider(new EmailProvider(ch));
+        break;
+      case "pushover":
+        dispatcher.addProvider(new PushoverProvider(ch));
+        break;
+    }
+  }
+  const alert = {
+    severity: "info",
+    title: "Aegis Test Alert",
+    body: "This is a test notification from OpenClaw Aegis. If you see this, alerts are working.",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  console.log(`Sending test alert to ${dispatcher.getProviders().length} channel(s)...
+`);
+  const result = await dispatcher.dispatch(alert);
+  for (const r of result.results) {
+    if (r.success) {
+      console.log(`  + ${r.provider}: sent (${r.durationMs}ms)`);
+    } else {
+      console.log(`  - ${r.provider}: failed \u2014 ${r.error}`);
+    }
+  }
+  console.log(result.sent ? "\nTest alert sent successfully." : "\nAll channels failed.");
+  process.exit(result.sent ? 0 : 1);
+});
+
+// src/cli/index.ts
+var program = new import_commander5.Command();
+program.name("aegis").description("OpenClaw Aegis \u2014 self-healing sidecar for the OpenClaw gateway").version("1.0.0");
+program.addCommand(initCommand);
+program.addCommand(statusCommand);
+program.addCommand(checkCommand);
+program.addCommand(testAlertCommand);
+program.parse(process.argv);
+//# sourceMappingURL=index.js.map